CN113114619A - Video identification analysis method, device and system based on Handle system - Google Patents

Info

Publication number
CN113114619A
Authority
CN
China
Prior art keywords
video
handle
video data
server
terminal equipment
Legal status
Granted
Application number
CN202110231533.0A
Other languages
Chinese (zh)
Other versions
CN113114619B (en)
Inventor
王滨
王星
林克章
张峰
万里
李俊
王冲华
陈志远
Current Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]

Abstract

The application provides a video identifier analysis method, device and system based on a Handle system. The method comprises: a terminal device acquires, according to the identifier prefix of a video identifier to be analyzed, LHS service site information matched with that prefix; the terminal device sends a video identifier analysis request for the video identifier to be analyzed to the LHS service site according to the LHS service site information; the terminal device receives encrypted video data sent by the Handle server and receives a video data encryption key sent by the Handle server; and the terminal device decrypts the encrypted video data according to the video data encryption key. The method can improve the security of the video data.

Description

Video identification analysis method, device and system based on Handle system
Technical Field
The application relates to the field of internet security, in particular to a method, a device and a system for analyzing video identification based on a Handle system.
Background
In recent years, industrial internet security has drawn increasing attention from academia and industry. On the one hand, with the continuous emergence of applications such as the Internet of Things, 5G technology and industrial intelligence, the number of industrial devices, sensors and the like is growing exponentially; on the other hand, people's awareness of private data and security protection keeps increasing. The security of security-monitoring video in the industrial internet is very important.
The video data encryption technology in wide use at present is HLS (HTTP Live Streaming) video slice encryption. HLS is an HTTP-based adaptive bitrate streaming media transport protocol whose basic principle is that the server divides a file or media stream into small segments at different bitrates for transmission. When playing the stream, the client can, according to its own bandwidth and performance limits, choose among the alternative sources of the same video content at different bitrates and download and play the one with a suitable bitrate.
As a streaming media protocol, HLS has the advantages of being simple and well suited to real-time on-demand playback, but it has the disadvantage that the m3u8 file (a streaming media file format) in the HLS protocol itself contains the decryption key information, so an attacker can easily obtain the URL (Uniform Resource Locator) address of the key and use it to crack the encryption.
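The weakness described above can be checked for in one's own streams. The following added example (not part of the patent) parses a constructed m3u8 playlist and reports where each segment's decryption key is advertised; the host names and the finding labels are assumptions.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample playlist (not from the patent); the host is a placeholder.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="http://media.example.test/keys/cam01.key",IV=0x00000000000000000000000000000001
#EXTINF:10.0,
seg000.ts
#EXTINF:10.0,
seg001.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
seg002.ts
#EXT-X-ENDLIST
"""
SAMPLE_BASE_URL = "http://media.example.test/live/cam01.m3u8"

# Attribute lists are comma-separated NAME=value pairs; values may be quoted.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def parse_attrs(text):
    """Parse an HLS attribute list into a dict, stripping quotes from values."""
    return {name: value.strip('"') for name, value in ATTR_RE.findall(text)}


def audit_playlist(playlist, base_url):
    """Return (segments, findings) for a media playlist.

    segments: (segment URI, encryption method, key URL or None) per segment.
    findings: (label, detail) pairs a reviewer should look at.
    """
    current = {"METHOD": "NONE"}   # segments before any EXT-X-KEY tag are unencrypted
    segments, findings = [], []
    for raw in playlist.splitlines():
        line = raw.strip()
        if line.startswith("#EXT-X-KEY:"):
            # An EXT-X-KEY tag applies to the segments that follow it.
            current = parse_attrs(line[len("#EXT-X-KEY:"):])
            if current.get("METHOD", "NONE") != "NONE":
                key_url = urljoin(base_url, current.get("URI", ""))
                current["KEY_URL"] = key_url
                # Anyone who can read the playlist learns where the key is served.
                findings.append(("key-uri-in-playlist", key_url))
                if urlparse(key_url).scheme != "https":
                    findings.append(("key-uri-not-https", key_url))
        elif line and not line.startswith("#"):
            method = current.get("METHOD", "NONE")
            if method == "NONE":
                findings.append(("segment-unencrypted", line))
            segments.append((line, method, current.get("KEY_URL")))
    return segments, findings


if __name__ == "__main__":
    for finding in audit_playlist(SAMPLE_PLAYLIST, SAMPLE_BASE_URL)[1]:
        print(finding)
```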
Disclosure of Invention
In view of this, the present application provides a method, an apparatus, and a system for analyzing a video identifier based on a Handle system.
Specifically, the application is realized through the following technical solutions:
According to a first aspect of the embodiments of the present application, a method for analyzing video identifiers based on a Handle system is provided, including:
the terminal equipment acquires LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed;
the terminal equipment sends a video identifier analysis request aiming at the video identifier to be analyzed to an LHS service site according to the LHS service site information, so that the LHS service site determines a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the video identifier analysis request, and sends the video identifier analysis request to the Handle server, wherein the Handle server is used for encrypting and storing video data of security and protection video monitoring equipment in the industrial internet;
the terminal equipment receives encrypted video data sent by the Handle server and receives a video data encryption key sent by the Handle server; the video data encryption key is sent by the Handle server after the terminal equipment is authenticated;
and the terminal equipment decrypts the encrypted video data according to the video data encryption key.
According to a second aspect of the embodiments of the present application, there is provided a video identifier parsing apparatus based on a Handle system, which is applied to a terminal device, and the apparatus includes:
the acquisition unit is used for acquiring LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed;
the acquisition unit is further configured to send a video identifier parsing request for the video identifier to be parsed to an LHS service site according to the LHS service site information, so that the LHS service site determines a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be parsed carried in the video identifier parsing request, and sends the video identifier parsing request to the Handle server, where the Handle server is configured to encrypt and store video data of security and protection video monitoring equipment in the industrial internet;
the acquisition unit is further used for receiving the encrypted video data sent by the Handle server and receiving a video data encryption key sent by the Handle server; the video data encryption key is sent by the Handle server after the terminal equipment is authenticated;
and the processing unit is used for decrypting the encrypted video data according to the video data encryption key.
According to a third aspect of the embodiments of the present application, there is provided a video identifier parsing system of a Handle system, including: the system comprises terminal equipment, LHS service sites and a Handle server; wherein:
the terminal equipment is used for acquiring LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed, and sending a video identification analysis request aiming at the video identification to be analyzed to an LHS service site according to the LHS service site information;
the LHS service site is used for determining a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the video identifier analysis request, and sending the video identifier analysis request to the Handle server;
the Handle server is used for encrypting and storing video data of security video monitoring equipment in the industrial internet and, when receiving the video identification analysis request, sending the encrypted video data and a video data encryption key to the terminal equipment separately, wherein the video data encryption key is sent after the terminal equipment is authenticated;
and the terminal equipment is also used for decrypting the encrypted video data according to the video data encryption key.
According to the video identifier analysis method based on the Handle system, the terminal equipment obtains LHS service site information matched with the identifier prefix of the video identifier to be analyzed, sends a video identifier analysis request for that video identifier to the LHS service site according to the LHS service site information, receives the encrypted video data and the video data encryption key sent by the Handle server, and decrypts the encrypted video data according to the video data encryption key. By introducing the Handle system into the industrial internet, video data is encrypted and stored by the Handle server. When the terminal equipment needs to obtain video data stored in the Handle server, it can obtain the LHS service site information matched with the identifier prefix of the corresponding video identifier and, according to that information, send to the LHS service site a video identifier analysis request carrying the identifier suffix of the video identifier. The LHS service site forwards the video identifier analysis request to the Handle server matched with the identifier suffix. The Handle server can send the stored encrypted video data to the terminal equipment and, after the terminal equipment is authenticated, send the video data encryption key to the terminal equipment, so that the terminal equipment decrypts the received encrypted video data according to the received video data encryption key, which improves the security of the video data.
Drawings
Fig. 1 is a flowchart illustrating a video identifier parsing method based on a Handle system according to an exemplary embodiment of the present application;
Fig. 2 is a schematic diagram of a video identifier parsing architecture implemented based on a Handle system in the industrial internet according to an embodiment of the present application;
Fig. 3 is a schematic flow chart illustrating uploading of a video data stream according to an exemplary embodiment of the present application;
Fig. 4 is a flowchart illustrating an implementation process of authenticating a client identity by a Handle server according to an exemplary embodiment of the present application;
Fig. 5 is a schematic structural diagram of a video identifier parsing apparatus based on a Handle system according to an exemplary embodiment of the present application;
Fig. 6 is a schematic structural diagram of another Handle system-based video identity resolution device according to yet another exemplary embodiment of the present application;
Fig. 7 is a schematic diagram illustrating a hardware structure of an electronic device according to an exemplary embodiment of the present application;
Fig. 8 is a schematic structural diagram of a Handle system-based video identity resolution system according to an exemplary embodiment of the present application;
Fig. 9 is a schematic structural diagram of another Handle system-based video identity resolution system according to another exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a video identifier parsing method based on a Handle system according to an embodiment of the present application. As shown in Fig. 1, the method may include the following steps:
Step S100: the terminal equipment acquires LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed.
In this embodiment of the application, when the terminal device needs to acquire video data, for example video data stored in a designated Handle server, the terminal device may acquire the Local Handle Service (LHS) service site information that matches the identifier prefix of the Handle identifier corresponding to the designated Handle server (the Handle identifier may be referred to as the video identifier to be analyzed, or simply as a Handle).
Illustratively, the Handle server is used for carrying out encrypted storage on video data of security video monitoring equipment (such as a camera and an entrance guard alarm) in the industrial internet.
For example, security and protection video monitoring equipment in the industrial internet can transmit collected video data to a corresponding Handle server in a data stream mode in real time for storage.
For example, the security video monitoring device may encode the collected video data, slice the video data into a video file in an m3u8 format, and transmit the video file to a corresponding Handle server.
The Handle identifier may include an identifier prefix (which may be simply referred to as a prefix) and an identifier suffix (which may be simply referred to as a suffix). The prefix is the naming authority (corresponding to an LHS service site) and the suffix is the unique local name under that naming authority (corresponding to a Handle server in the LHS service site); the two are separated by "/".
For example, in order to obtain video data stored by a specified Handle server, LHS service site information matched with a Handle identifier corresponding to the specified Handle server may be obtained according to the identifier prefix of the Handle identifier.
For example, the terminal device may send a service site information acquisition request carrying an identifier prefix to a GHR (Global Handle Registry) according to the identifier prefix of the video identifier to be analyzed, so as to acquire LHS service site information matched with the identifier prefix.
Step S110: the terminal equipment sends a video identifier analysis request aiming at the video identifier to be analyzed to the LHS service site according to the LHS service site information, so that the LHS service site determines a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the video identifier analysis request, and sends the video identifier analysis request to the Handle server.
In the embodiment of the application, when the terminal device acquires the LHS service site information matched with the identifier prefix of the video identifier to be analyzed, a video identifier analysis request for the video identifier to be analyzed can be sent to the LHS service site according to the acquired LHS service site information.
For example, the video identifier parsing request may carry identification information of the terminal device and an identifier suffix of the video identifier to be parsed.
When the LHS service site receives the video identifier analysis request, it can determine the Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the request, and forward the video identifier analysis request to that Handle server.
Step S120: the terminal equipment receives the encrypted video data sent by the Handle server and receives a video data encryption key sent by the Handle server; the video data encryption key is sent by the Handle server after the terminal equipment is authenticated.
In the embodiment of the application, when the Handle server receives the video identifier analysis request, to ensure the security of the data it can send the encrypted video data and the video data encryption key to the terminal device separately, which reduces the probability that an attacking device obtains the video data by intercepting data in transit.
In addition, to prevent an attacking device from directly acquiring the encrypted video data and the video data encryption key from the Handle server, when the Handle server receives the video identifier analysis request, it may authenticate the terminal device first and send the video data encryption key to the terminal device only after the authentication is passed.
For example, considering that the encrypted video data can be played normally only after being decrypted with the video data encryption key, the encrypted video data may, to improve data transmission efficiency, be sent to the terminal device as soon as the video identifier parsing request is received (i.e., before the terminal device is authenticated).
Alternatively, the Handle server may send the encrypted video data and the video data encryption key to the terminal equipment separately only after the terminal equipment passes the authentication, which further improves the security of the video data.
Step S130: the terminal equipment decrypts the encrypted video data according to the video data encryption key.
In the embodiment of the application, when the terminal device acquires the encrypted video data and the video data encryption key in the above manner, the terminal device may decrypt the encrypted video data according to the acquired video data encryption key to obtain decrypted video data, and process the decrypted video data according to a requirement.
It can be seen that, in the method flow shown in Fig. 1, a Handle system is introduced into the industrial internet and video data is encrypted and stored by the Handle server. When a terminal device needs to acquire video data stored in the Handle server, it can acquire the LHS service site information matched with the identification prefix of the corresponding video identification and, according to that LHS service site information, send to the LHS service site a video identification parsing request carrying the identification suffix of the video identification. The LHS service site forwards the request to the Handle server matched with the identification suffix. The Handle server can send the stored encrypted video data to the terminal device and, after the terminal device is authenticated, send the video data encryption key to the terminal device, so that the terminal device decrypts the received encrypted video data according to the received video data encryption key, which improves the security of the video data.
In some embodiments, authentication of the terminal device by the Handle server may be implemented as follows:
the terminal equipment receives a challenge request sent by the Handle server;
the terminal equipment signs the challenge request according to a preset private key to obtain a first signature result;
the terminal equipment sends the first signature result to the Handle server, so that the Handle server compares the first signature result with a second signature result, determines that the authentication is passed when the two are consistent, and determines that the authentication is not passed when they are inconsistent; the second signature result is obtained by the Handle server signing the challenge request according to the private key of the terminal equipment.
Illustratively, when the Handle server receives a video identifier parsing request, it may send a challenge request to the terminal device according to the identification information of the terminal device carried in the request, so as to trigger authentication.
When receiving the challenge request sent by the Handle server, the terminal device may sign the received challenge request according to a preset private key to obtain a corresponding signature result (referred to as a first signature result herein), and send the first signature result to the Handle server.
When receiving the first signature result, the Handle server may compare the first signature result with a signature result (referred to as a second signature result herein) obtained by the Handle server signing the challenge request according to the private key of the terminal device, and if the first signature result and the second signature result are consistent, it is determined that the authentication is passed; and if the two are not consistent, determining that the authentication is not passed.
For example, the preset private keys may be different for different terminal devices. In this case, when the Handle server authenticates the terminal device, it may obtain the private key of the terminal device according to the identification information of the terminal device, and sign the challenge request according to the obtained private key of the terminal device.
For example, in order to improve the authentication efficiency, when the Handle server sends the challenge request to the terminal device, the challenge request may be signed according to the private key of the terminal device before receiving the first signature result, so as to obtain a second signature result, and thus, when receiving the first signature result, there may be no need to wait for generation of the second signature result.
In an example, the signing, by the Handle server, of the challenge request according to a private key of the terminal device may include:
the Handle server sends a private key acquisition request to a key management server to obtain the private key of the terminal device;
and the Handle server receives the private key of the terminal equipment sent by the key management server, and signs the challenge request by using the private key of the terminal equipment to obtain a second signature result.
Illustratively, in order to further improve the reliability of device authentication, the private key for authenticating the device may not be stored in the Handle server, but may be maintained by a special device (referred to herein as a key management server).
Correspondingly, when the terminal device needs to be authenticated, the Handle server can send a private key acquisition request to the key management server to acquire the private key of the terminal device.
When the Handle server receives the private key of the terminal device sent by the key management server, the challenge request can be signed by using the private key of the terminal device, and a second signature result is obtained.
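Steps S100 to S130 and the challenge-based authentication described above, as an added example that is not code from the patent. Because the Handle server recomputes the signature with the terminal's own key and compares the two results, that key acts as a shared secret, so the example uses HMAC-SHA256 for signing (an assumption; the page names no algorithm). Every class, identifier and key is hypothetical, and the stored video ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac
import secrets

# All identifiers, keys and data below are constructed for this example.
HANDLE = "99.example/cam01/2021-03-02"   # prefix "99.example", suffix "cam01/2021-03-02"
DEVICE_ID, DEVICE_KEY = "terminal-01", b"d" * 32
VIDEO_KEY, CIPHERTEXT = b"v" * 16, b"<encrypted video segments>"


def parse_handle(handle):
    """Split on the first '/': prefix = naming authority, suffix = local name."""
    prefix, sep, suffix = handle.partition("/")
    if not (sep and prefix and suffix):
        raise ValueError(f"not a prefix/suffix identifier: {handle!r}")
    return prefix, suffix


def sign(key, challenge):
    # Assumption: HMAC-SHA256 stands in for the signature algorithm the page leaves unnamed.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class KeyManagementServer:
    """Keeps device keys and video keys apart from the stored ciphertext."""

    def __init__(self, device_keys, video_keys):
        self._device_keys, self._video_keys = device_keys, video_keys

    def device_key(self, device_id):
        return self._device_keys.get(device_id)

    def video_key(self, suffix):
        return self._video_keys[suffix]


class HandleServer:
    def __init__(self, kms, store):
        self.kms, self.store = kms, store
        self._pending = {}   # device_id -> (second signature result, suffix)

    def handle_request(self, device_id, suffix):
        """Return the ciphertext plus a fresh random challenge for this device."""
        challenge = secrets.token_bytes(32)
        key = self.kms.device_key(device_id)
        if key is None:                       # unknown device: expected value can never match
            key = secrets.token_bytes(32)
        # The second signature result is computed up front, before the reply arrives.
        self._pending[device_id] = (sign(key, challenge), suffix)
        return self.store[suffix], challenge

    def verify(self, device_id, first_signature):
        """Release the video key only if the first and second signature results match."""
        pending = self._pending.pop(device_id, None)   # single use: a replay finds nothing
        if pending is None:
            return None
        second_signature, suffix = pending
        if not hmac.compare_digest(first_signature, second_signature):
            return None
        return self.kms.video_key(suffix)


class LHSSite:
    def __init__(self, servers):
        self.servers = servers                # identifier suffix -> HandleServer

    def forward(self, device_id, suffix):
        server = self.servers.get(suffix)
        if server is None:
            raise LookupError(f"no Handle server for suffix {suffix!r}")
        return server, server.handle_request(device_id, suffix)


def build_demo():
    kms = KeyManagementServer({DEVICE_ID: DEVICE_KEY}, {"cam01/2021-03-02": VIDEO_KEY})
    server = HandleServer(kms, {"cam01/2021-03-02": CIPHERTEXT})
    ghr = {"99.example": LHSSite({"cam01/2021-03-02": server})}   # GHR: prefix -> LHS site
    return ghr, server


def fetch_video(ghr, handle, device_id, device_key):
    prefix, suffix = parse_handle(handle)                         # S100: prefix -> LHS site
    site = ghr.get(prefix)
    if site is None:
        raise LookupError(f"no LHS service site for prefix {prefix!r}")
    server, (ciphertext, challenge) = site.forward(device_id, suffix)   # S110
    video_key = server.verify(device_id, sign(device_key, challenge))   # S120
    return ciphertext, video_key              # S130: decrypt only when video_key is not None


if __name__ == "__main__":
    ghr, _ = build_demo()
    print(fetch_video(ghr, HANDLE, DEVICE_ID, DEVICE_KEY)[1] == VIDEO_KEY)
    print(fetch_video(ghr, HANDLE, DEVICE_ID, b"x" * 32)[1])
```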
In some embodiments, the step S120 of receiving, by the terminal device, the video data encryption key sent by the Handle server may include:
after the terminal equipment passes the authentication, the Handle server sends the video data encryption key encrypted according to the pre-negotiated encryption mode to the terminal equipment; the video data encryption key is acquired from the key management server by the Handle server;
and the terminal equipment receives the encrypted video data encryption key sent by the Handle server.
Illustratively, to further improve the security of the video data and prevent it from being obtained even if an attacking device successfully intrudes into the Handle server, the encrypted video data and the video data encryption key may be stored separately; that is, the video data encryption key is not stored in the Handle server but in a dedicated device (which may be referred to as a key management server herein).
For example, the key management server storing the video data encryption key and the key management server storing the private key may be the same key management server, or may be different key management servers; for example, the key management server storing the private key is a first key management server, and the key management server storing the video data encryption key is a second key management server.
In addition, in order to ensure the security of the video data encryption key in the transmission process, an encryption mode for encrypting the video data encryption key and a decryption mode for decrypting the encrypted video data encryption key can be negotiated in advance.
After the Handle server passes the authentication of the terminal device, the Handle server can encrypt the video data encryption key obtained from the key management server according to a pre-negotiated encryption mode and send the encrypted video data encryption key to the terminal device.
The Handle server can acquire the video data encryption key from the key management server before the terminal equipment is authenticated, or can acquire the video data encryption key when the terminal equipment is authenticated.
Illustratively, in order to improve the video data transmission efficiency, the Handle server may obtain the video data encryption key from the key management server before the terminal device is authenticated, so that once the terminal device passes authentication there is no need to wait for the video data encryption key to be obtained, and the key can be sent to the terminal device more quickly.
When the terminal equipment receives the encrypted video data encryption key sent by the Handle server, the encrypted video data encryption key can be decrypted according to a pre-negotiated decryption mode to obtain the video data encryption key, and then the encrypted video data can be decrypted according to the video data encryption key.
For example, in order to improve the security of the video data encryption key in the process of acquiring the video data encryption key by the Handle server, the video data encryption key acquired by the Handle server may also be an encrypted video data encryption key, that is, when the key management server receives a video data encryption key acquisition request sent by the Handle server, the video data encryption key may be encrypted and sent to the Handle server, and the encrypted video data encryption key is decrypted by the Handle server to obtain the video data encryption key.
For example, when the key management server encrypts the video data encryption key, the video data encryption key may be encrypted in a pre-negotiated encryption manner; the Handle server can decrypt the encrypted video data encryption key according to a pre-negotiated decryption mode.
For example, when the video data encryption key obtained by the Handle server from the key management server is an encrypted video data encryption key, the encrypted video data encryption key sent by the Handle server to the terminal device may be an encrypted video data encryption key obtained from the key management server; or, the Handle server may decrypt the encrypted video data encryption key acquired from the key management server, re-encrypt the acquired video data encryption key, and send the encrypted video data encryption key to the terminal device.
For example, the encryption mode of the Handle server for encrypting the video data encryption key may be the same as or different from the encryption mode of the key management server for encrypting the video data encryption key.
In order to enable those skilled in the art to better understand the technical solutions provided in the embodiments of the present application, the following describes the technical solutions provided in the embodiments of the present application with reference to specific application scenarios.
Fig. 2 is a schematic view of a video identifier parsing architecture implemented based on a Handle system in an industrial internet according to an embodiment of the present application. As shown in Fig. 2, the architecture may include a security video monitoring device, a Handle server, a GHR, and a client (which may also be referred to as a terminal device).
Based on the architecture shown in fig. 2, the implementation flow of the video identifier parsing scheme provided in the embodiment of the present application is as follows:
Step 1: the security video monitoring equipment transmits the collected data to a corresponding Handle server in a data stream mode in real time for storage.
For example, as shown in Fig. 3, the security video monitoring device may encode the collected video data by using an encoder, segment it to obtain a fragmented video data stream, and transmit the fragmented video data stream to a Handle video server.
For example, in order to improve the security of video data, the video data and a key for encrypting the video data (i.e., the video data encryption key, which may also be referred to as a video key) may be stored separately, the video data is stored in a Handle video server, and the video data encryption key is stored in a Handle key server, that is, the Handle server may include a Handle video server and a Handle key server (i.e., the key management server may be a Handle key server).
As shown in fig. 3, the Handle video server may obtain a video key from the Handle key server, and encrypt the fragmented video data stream using the obtained video key to obtain encrypted video data stream fragments, and store the encrypted video data stream fragments.
For example, in order to improve the security of the video key, the Handle key server may encrypt the video key according to a pre-negotiated encryption mode, transmit the encrypted video key to the Handle video server, decrypt the encrypted video key by the Handle video server according to a pre-negotiated decryption mode to obtain the video key, and encrypt the fragmented video data stream by using the video key.
For example, the Handle key server may encrypt the video key using the RSA algorithm (an encryption algorithm) and transmit the encrypted video key to the Handle video server; the Handle video server decrypts it by using the same algorithm to obtain the video key, and encrypts the video data stream fragments by using the video key obtained by decryption. This prevents the video key from being intercepted and captured while it is transmitted between the Handle video server and the Handle key server, which improves the security of the video key and, in turn, the security of the video data.
Step 2, the client sends a Handle prefix to the GHR; step 3, the GHR returns the LHS service site information to the client.
Illustratively, the name of a Handle may include a prefix and a suffix separated by "/". The prefix is a naming authority (corresponding to one of the LHS service sites), and the suffix is a unique local name under that naming authority (corresponding to one of the Handle video servers in the LHS service site). The client needs the service information of the naming authority, which is stored by the GHR. The client therefore requests the service information of the naming authority from the GHR; the GHR retrieves the LHS service site corresponding to the prefix and returns the LHS service site information (which may be referred to as service site information for short) to the client.
Step 4, the client sends a Handle identification analysis request to the LHS service site according to the LHS service site information so as to request a Handle value set.
Illustratively, the Handle value set includes the video key and the encrypted video data (i.e., encrypted video data stream fragments).
Step 5, the Handle server returns the encrypted video data stream fragments to the client.
Step 6, the Handle server authenticates the identity of the client.
For example, in order to ensure the security of video data, the identity of the client needs to be authenticated before the Handle server sends the video key to the client, and the video key is sent to the client after the authentication is passed.
For example, the process by which the Handle server authenticates the identity of the client may be as shown in fig. 4: the client can send an authentication request to the Handle server.
For example, the client may send an authentication request to the Handle video server upon receiving the encrypted video data stream fragments sent by the Handle video server.
When receiving an authentication request sent by a client, the Handle video server can send a challenge request to the client; the client signs the challenge request by using a private key to form a digital signature and sends the digital signature back to the Handle video server; the Handle video server requests the private key of the client from the Handle key server, encrypts the challenge to form a digital certificate, and verifies whether the digital signature matches the digital certificate to judge whether the identity of the client is legal.
For example, in the flow in which the Handle video server requests the private key of the client from the Handle key server, the private key of the client may also be transmitted in encrypted form, in the same manner as in the "video key" request flow; the specific implementation is not described herein again.
Illustratively, the client and the Handle key server use the same administrator private key. When receiving the challenge request, the client may sign the challenge request using the administrator private key to obtain MAC (Message Authentication Code) information (which may be referred to as first MAC information, that is, the first signature result), and send the MAC information to the Handle video server. When the Handle video server receives the MAC information, it may likewise sign the challenge request using the administrator private key obtained from the Handle key server to obtain MAC information (which may be referred to as second MAC information, i.e., the second signature result), and compare the first MAC information with the second MAC information. If the first MAC information and the second MAC information are the same, the client identity authentication is determined to pass; otherwise, the client identity authentication is determined not to pass.
Illustratively, the digital signature may be implemented by using an RSA algorithm, and the specific steps of the algorithm may be as follows:
Two large prime numbers $p$ and $q$ are selected, with $n = p \times q$ and $\varphi(n) = (p-1)(q-1)$; $e$ and $d$ are found such that $\gcd(e, \varphi(n)) = 1$ and $e \cdot d \equiv 1 \pmod{\varphi(n)}$. $\{p, q, d, \varphi(n)\}$ is used as the administrator private key of the client and the Handle key server, and for an ASCII-coded challenge $h(m)$, the RSA digital signature calculation formula is as follows:
$c_1 = (h(m))^d \bmod p, \quad c_2 = (h(m))^d \bmod q$
$S_A(m) \equiv (c_1 q^{-1} q + c_2 p^{-1} p) \bmod n$
$S_A(m)$ is sent to the Handle video server as the MAC information of the client (namely the first MAC information), and the server authenticates the MAC information.
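The challenge signing and MAC comparison described above, worked through as an added example (not code from the patent): it assumes h(m) is the SHA-256 digest of the ASCII challenge, reads the two inverse terms as the inverse of q modulo p and of p modulo q, uses constructed demo primes, and all function and class names are hypothetical. Beside the compare-by-recomputing check from the text it shows the same decision made with only the public pair (n, e), plus a self-check on the CRT result and single-use challenges.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Constructed demo key (assumption): two Mersenne primes so the block runs
# offline. Their special form makes them unsuitable for any real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
assert gcd(E, PHI) == 1            # e must be coprime to phi(n)
D = pow(E, -1, PHI)                # e * d ≡ 1 (mod phi(n))
SIG_LEN = (N.bit_length() + 7) // 8


def h(challenge: bytes) -> int:
    """h(m): assumed to be SHA-256 over the ASCII challenge, as an integer."""
    challenge.decode("ascii")      # raises on non-ASCII input
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big")


def sign_crt(challenge: bytes) -> int:
    """S_A(m) via the CRT recombination of the two half-size results.

    Unpadded RSA, as in the formula; production signing uses a padding
    scheme such as RSASSA-PSS.
    """
    hm = h(challenge)
    c1 = pow(hm, D, P)
    c2 = pow(hm, D, Q)
    q_inv = pow(Q, -1, P)          # assumed meaning: inverse of q modulo p
    p_inv = pow(P, -1, Q)          # assumed meaning: inverse of p modulo q
    s = (c1 * q_inv * Q + c2 * p_inv * P) % N
    # A computation fault in one half can expose a factor of n,
    # so the result is checked before it leaves the signer.
    if pow(s, E, N) != hm:
        raise ValueError("CRT self-check failed; signature withheld")
    return s


class VideoServer:
    """Handle video server side (hypothetical class)."""

    def __init__(self):
        self._pending = set()      # challenges issued and not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_hex(16).encode("ascii")
        self._pending.add(challenge)
        return challenge

    def _consume(self, challenge: bytes) -> bool:
        """Accept each issued challenge once, so a captured reply cannot be replayed."""
        if challenge in self._pending:
            self._pending.discard(challenge)
            return True
        return False

    def verify_by_recompute(self, challenge: bytes, first_mac: int) -> bool:
        """Check from the text: compute the second MAC with the shared
        private key and compare it with the first (constant-time compare)."""
        if not self._consume(challenge) or not 0 <= first_mac < N:
            return False
        second_mac = sign_crt(challenge)
        return hmac.compare_digest(first_mac.to_bytes(SIG_LEN, "big"),
                                   second_mac.to_bytes(SIG_LEN, "big"))

    def verify_with_public_key(self, challenge: bytes, signature: int) -> bool:
        """Same decision using only (n, e): no private key on this server."""
        if not self._consume(challenge):
            return False
        return 0 <= signature < N and pow(signature, E, N) == h(challenge)
```

Because S_A(m)^e mod n recovers h(m), the second check gives the same accept/reject result without the video server ever holding the signing key.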
Step 7, if the client identity authentication is passed, the Handle video server returns the video key to the client, and the client decrypts the encrypted video data by using the video key.
Illustratively, the Handle video server may also send the video key to the client in encrypted form, and the client decrypts the encrypted video key to obtain the video key, so as to ensure the security of video key transmission between the Handle video server and the client.
For example, the encrypted video key sent by the Handle video server to the client may be an encrypted video key obtained from the Handle key server; alternatively, the Handle video server may encrypt the video key by using a pre-negotiated encryption method.
Illustratively, the encryption manner of the video key by the Handle video server may be the same as or different from the encryption manner of the video key by the Handle key server.
The methods provided herein are described above. The following describes the apparatus and system provided by the present application:
referring to fig. 5, fig. 5 is a schematic structural diagram of a Handle system-based video identifier parsing apparatus according to an embodiment of the present application, where the Handle system-based video identifier parsing apparatus may be applied to a terminal device, and as shown in fig. 5, the Handle system-based video identifier parsing apparatus may include:
an obtaining unit 510, configured to obtain, according to an identifier prefix of a video identifier to be analyzed, LHS service site information matched with the identifier prefix;
the obtaining unit 510 is further configured to send a video identifier parsing request for the video identifier to be parsed to an LHS service site according to the LHS service site information, so that the LHS service site determines a Handle server matched with an identifier suffix according to the identifier suffix of the video identifier to be parsed carried in the video identifier parsing request, and sends the video identifier parsing request to the Handle server, where the Handle server is configured to encrypt and store video data of a security video monitoring device in an industrial internet;
the obtaining unit 510 is further configured to receive encrypted video data sent by the Handle server, and receive a video data encryption key sent by the Handle server; the video data encryption key is sent by the Handle server after the terminal equipment is authenticated;
the processing unit 520 is configured to decrypt the encrypted video data according to the video data encryption key.
In some embodiments, the obtaining unit 510 is further configured to receive a challenge request sent by the Handle server;
as shown in fig. 6, the Handle system based video identifier parsing apparatus may further include:
the authentication unit 530 is configured to sign the challenge request according to a preset private key to obtain a first signature result;
the obtaining unit 510 is further configured to send the first signature result to the Handle server, so that the Handle server compares the first signature result with the second signature result, and when the first signature result and the second signature result are consistent, the Handle server determines that the authentication is passed; when the first signature result is inconsistent with the second signature result, determining that the authentication is not passed; and the second signature result is obtained by the Handle server signing the challenge request according to the private key of the terminal equipment.
Fig. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 701, a machine-readable storage medium 702 having machine-executable instructions stored thereon. The processor 701 and the machine-readable storage medium 702 may communicate via a system bus 703. Also, the processor 701 may perform the above-described video identity parsing method based on the Handle system by reading and executing machine executable instructions corresponding to the video identity parsing control logic in the machine readable storage medium 702.
The machine-readable storage medium 702 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, there is also provided a machine-readable storage medium having stored therein machine-executable instructions that, when executed by a processor, implement the Handle system-based video identity resolution method described above. For example, the machine-readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so forth.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a video identifier parsing system based on a Handle system according to an embodiment of the present application, and as shown in fig. 8, the video identifier parsing system based on a Handle system may include a terminal device, a LHS service site, and a Handle server; wherein:
the terminal equipment is used for acquiring LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed, and sending a video identification analysis request aiming at the video identification to be analyzed to an LHS service site according to the LHS service site information;
the LHS service site is used for determining a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the video identifier analysis request, and sending the video identifier analysis request to the Handle server;
the Handle server is used for encrypting and storing video data of security video monitoring equipment in the industrial internet, respectively sending encrypted video data to the terminal equipment when receiving the video identification analysis request, and sending a video data encryption key to the terminal equipment, wherein the video data encryption key is sent after the terminal equipment is authenticated;
and the terminal equipment is also used for decrypting the encrypted video data according to the video data encryption key.
In some embodiments, the Handle server is specifically configured to send a challenge request to the terminal device;
the terminal device is specifically configured to sign the challenge request according to a preset private key to obtain a first signature result, and send the first signature result to the Handle server;
the Handle server is specifically used for comparing the first signature result with the second signature result and determining that the authentication is passed when the first signature result is consistent with the second signature result; when the first signature result is inconsistent with the second signature result, determining that the authentication is not passed; and the second signature result is obtained by the Handle server signing the challenge request according to the private key of the terminal equipment.
In some embodiments, as shown in fig. 9, the Handle system based video identity resolution system may further include: a key management server; wherein:
the Handle server is specifically configured to send a private key acquisition request to a key management server to acquire a private key of the terminal device;
the key management server is used for sending the key of the terminal equipment to the Handle server;
the Handle server is specifically configured to sign the challenge request by using the private key of the terminal device to obtain a second signature result.
In some embodiments, the Handle server is specifically configured to send a video data encryption key encrypted in a pre-negotiated encryption manner to the terminal device after the terminal device is authenticated, where the video data encryption key is obtained by the Handle server from a key management server;
the terminal device is specifically configured to receive the encrypted video data encryption key sent by the Handle server, and decrypt the encrypted video data encryption key according to a pre-negotiated decryption manner to obtain the video data encryption key.
Illustratively, the structure of the terminal device may be as shown in fig. 5, fig. 6 or fig. 7.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A video identification analysis method based on a Handle system is characterized by comprising the following steps:
the method comprises the steps that terminal equipment acquires LHS service site information matched with an identification prefix according to the identification prefix of a video identification to be analyzed;
the terminal equipment sends a video identifier analysis request aiming at the video identifier to be analyzed to an LHS service site according to the LHS service site information, so that the LHS service site determines a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the video identifier analysis request, and sends the video identifier analysis request to the Handle server, wherein the Handle server is used for encrypting and storing video data of security and protection video monitoring equipment in the industrial internet;
the terminal equipment receives encrypted video data sent by the Handle server and receives a video data encryption key sent by the Handle server; the video data encryption key is sent by the Handle server after the terminal equipment is authenticated;
and the terminal equipment decrypts the encrypted video data according to the video data encryption key.
2. The method of claim 1, wherein the Handle server authenticates the terminal device by:
the terminal equipment receives a challenge request sent by the Handle server;
the terminal equipment signs the challenge request according to a preset private key to obtain a first signature result;
the terminal equipment sends the first signature result to the Handle server so that the Handle server compares the first signature result with the second signature result and determines that the authentication is passed when the first signature result is consistent with the second signature result; when the first signature result is inconsistent with the second signature result, determining that the authentication is not passed; and the second signature result is obtained by the Handle server signing the challenge request according to the private key of the terminal equipment.
3. The method as claimed in claim 2, wherein the signing of the challenge request by the Handle server according to the private key of the terminal device comprises:
the Handle server sends a private key acquisition request to a key management server to acquire a private key of the terminal equipment;
and the Handle server receives the private key of the terminal equipment sent by the key management server, and signs the challenge request by using the private key of the terminal equipment to obtain a second signature result.
4. The method according to claim 1, wherein the receiving, by the terminal device, the video data encryption key sent by the Handle server comprises:
after the terminal equipment is authenticated, the Handle server sends a video data encryption key encrypted according to a pre-negotiated encryption mode to the terminal equipment, and the video data encryption key is acquired from a key management server by the Handle server;
and the terminal equipment receives the encrypted video data encryption key sent by the Handle server and decrypts the encrypted video data encryption key according to a pre-negotiated decryption mode to obtain the video data encryption key.
5. A video identification analysis device based on a Handle system, applied to terminal equipment, characterized in that the device comprises:
the acquisition unit is used for acquiring LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed;
the acquisition unit is further configured to send a video identifier parsing request for the video identifier to be parsed to an LHS service site according to the LHS service site information, so that the LHS service site determines a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be parsed carried in the video identifier parsing request, and sends the video identifier parsing request to the Handle server, where the Handle server is configured to encrypt and store video data of security and protection video monitoring equipment in the industrial internet;
the acquisition unit is further used for receiving the encrypted video data sent by the Handle server and receiving a video data encryption key sent by the Handle server; the video data encryption key is sent by the Handle server after the terminal equipment is authenticated;
and the processing unit is used for decrypting the encrypted video data according to the video data encryption key.
6. The apparatus of claim 5,
the acquiring unit is further configured to receive a challenge request sent by the Handle server;
the device further comprises:
the authentication unit is used for signing the challenge request according to a preset private key to obtain a first signature result;
the obtaining unit is further configured to send the first signature result to the Handle server, so that the Handle server compares the first signature result with the second signature result, and when the first signature result is consistent with the second signature result, the Handle server determines that the authentication is passed; when the first signature result is inconsistent with the second signature result, determining that the authentication is not passed; and the second signature result is obtained by the Handle server signing the challenge request according to the private key of the terminal equipment.
7. A video identification parsing system based on a Handle system is characterized by comprising: the system comprises terminal equipment, LHS service sites and a Handle server; wherein:
the terminal equipment is used for acquiring LHS service site information matched with the identification prefix according to the identification prefix of the video identification to be analyzed, and sending a video identification analysis request aiming at the video identification to be analyzed to an LHS service site according to the LHS service site information;
the LHS service site is used for determining a Handle server matched with the identifier suffix according to the identifier suffix of the video identifier to be analyzed carried in the video identifier analysis request, and sending the video identifier analysis request to the Handle server;
the Handle server is used for encrypting and storing video data of security video monitoring equipment in the industrial internet, respectively sending encrypted video data to the terminal equipment when receiving the video identification analysis request, and sending a video data encryption key to the terminal equipment, wherein the video data encryption key is sent after the terminal equipment is authenticated;
and the terminal equipment is also used for decrypting the encrypted video data according to the video data encryption key.
8. The system of claim 7,
the Handle server is specifically configured to send a challenge request to the terminal device;
the terminal device is specifically configured to sign the challenge request according to a preset private key to obtain a first signature result, and send the first signature result to the Handle server;
the Handle server is specifically used for comparing the first signature result with the second signature result and determining that the authentication is passed when the first signature result is consistent with the second signature result; when the first signature result is inconsistent with the second signature result, determining that the authentication is not passed; and the second signature result is obtained by the Handle server signing the challenge request according to the private key of the terminal equipment.
9. The system of claim 8, further comprising: a key management server; wherein:
the Handle server is specifically configured to send a private key acquisition request to a key management server to acquire a private key of the terminal device;
the key management server is used for sending the key of the terminal equipment to the Handle server;
the Handle server is specifically configured to sign the challenge request by using the private key of the terminal device to obtain a second signature result.
10. The system of claim 9,
the Handle server is specifically configured to send a video data encryption key encrypted in a pre-negotiated encryption manner to the terminal device after the terminal device is authenticated, and the video data encryption key is obtained by the Handle server from a key management server;
the terminal device is specifically configured to receive the encrypted video data encryption key sent by the Handle server, and decrypt the encrypted video data encryption key according to a pre-negotiated decryption manner to obtain the video data encryption key.
CN202110231533.0A 2021-03-02 2021-03-02 Video identification analysis method, device and system based on Handle system Active CN113114619B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110231533.0A CN113114619B (en) 2021-03-02 2021-03-02 Video identification analysis method, device and system based on Handle system

Publications (2)

Publication Number Publication Date
CN113114619A true CN113114619A (en) 2021-07-13
CN113114619B CN113114619B (en) 2022-03-25

Family

ID=76709672

Country Status (1)

Country Link
CN (1) CN113114619B (en)

Also Published As

Publication number Publication date
CN113114619B (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant